Topic: [ANN][DASH] Dash (dash.org) | First Self-Funding Self-Governing Crypto Currency - page 5514. (Read 9723748 times)

hero member
Activity: 700
Merit: 500
guys
where was the mistake he did so smb stole his coins? can you put it in bold so nobody will do the same mistake again?
He did not shutdown ports is biggest error, IMHO.

I don't think shutting down ports would have done him any good as long as he kept 22 open.  My vote is for root access through SSH + easy root password.  Really though it was a CF all around, and changing any one of several things could have prevented the attack.

Really, though?  Who the HELL puts a machine on the Internet allowing root access through SSH?!  And without, like, a 15+ character password?  ALWAYS use sudo, ALWAYS use difficult passwords for all sudoers, ALWAYS have somewhat obscure usernames for valid SSH logins (not "john" or some crap).
hero member
Activity: 700
Merit: 500
Amazon AWS EC2

I'm not sure why this is the recommended way to run a masternode, but I can tell you I have enough for 1 MN and I was  planning to run one (on the day we had so much problems which stopped my plan).

I never considered Amazon EC2 as an option because of security.

I have an Amazon EC2 server right now.  I'm connected to it.  It's my OpenVPN server and also my PPTP server (for tablets/cell phones).  I've had at least 1 EC2 instance for over a year so it hasn't been free for me for many months now.  I still pay.  I like my server.  Nothing on it that's worth anything if a hacker hacks it.

So why I never considered an EC2 as a masternode?  It's because the EC2 has 2 IP addresses.  One on the internet (which everyone in the world can see).  This IP address is quite secure (oddly enough) per your Security Group definition.

The private IP is the problem.  It will look something like this  10.2xx-1xx-61.  I was able to ssh to the private IP from one EC2 to another (using certificate, of course, don't consider username/password).  So other ports are also open.  Even if they are not open on the Security Group/Internet IP.  This is now a matter of securing your EC2 applications/OS/network-FW.

One of the EC2's I was running in the past was an Asterisk VoIP server.  Fail2Ban was full of attempted attacks from China, Brazil, etc.  Why was it odd?  Well my Security Group was defined to only accept connections from Tmobile network and other networks I defined.  My Internet IP was not reachable outside of those networks.  But the "private" IP shared with everyone on the Amazon cloud (i.e. Netflix, maybe I should hack them, lol) was accessible to these hackers.  Think of your home network shared with thousands and thousands of unknowns.  Sure, your Windows XP box is secure with a firewall (lol), but against thousands of attackers, it will probably fall.

I would not run a Masternode on a VPS and definitely not on an Amazon EC2.

I have this as my stratum-server   http://goo.gl/cpFXg8     upgraded to 2GB.  It's low power.  No need for a hard drive.  Install Linux on a USB 16GB  (around $12).  Plug in temporarily to monitor during setup.  Afterwards; ssh with byobu-enabled (screens but better).  What more you need?  This behind my ddwrt router which I have full control, I can trust to run my Masternode with only port 9999 open.  I don't think Masternode needs RPC.

Just my .02 DRK humble suggestion...



Can you not just shutdown all ports on the private IP?
hero member
Activity: 700
Merit: 500
In other news, the DRK price has traded within a relatively narrow range for the past several hours on Mintpal, roughly from .017 to .0185 (and in the past 2 hours even tighter within .0175 to .0182), on lower than usual volume.  The buywalls have been generally taller and more durable than the sellwalls, but there simply hasn't been much action.  Current price, .01778, a good 150BTC buywall at or above .0170, and 104BTC in a more gently sloped sell stack at or under .0190.  Volume around 21BTC in the past hour.
full member
Activity: 196
Merit: 100
Amazon AWS EC2

I'm not sure why this is the recommended way to run a masternode, but I can tell you I have enough for 1 MN and I was  planning to run one (on the day we had so much problems which stopped my plan).

I never considered Amazon EC2 as an option because of security.

I have an Amazon EC2 server right now.  I'm connected to it.  It's my OpenVPN server and also my PPTP server (for tablets/cell phones).  I've had at least 1 EC2 instance for over a year so it hasn't been free for me for many months now.  I still pay.  I like my server.  Nothing on it that's worth anything if a hacker hacks it.

So why I never considered an EC2 as a masternode?  It's because the EC2 has 2 IP addresses.  One on the internet (which everyone in the world can see).  This IP address is quite secure (oddly enough) per your Security Group definition.

The private IP is the problem.  It will look something like this  10.2xx-1xx-61.  I was able to ssh to the private IP from one EC2 to another (using certificate, of course, don't consider username/password).  So other ports are also open.  Even if they are not open on the Security Group/Internet IP.  This is now a matter of securing your EC2 applications/OS/network-FW.

One of the EC2's I was running in the past was an Asterisk VoIP server.  Fail2Ban was full of attempted attacks from China, Brazil, etc.  Why was it odd?  Well my Security Group was defined to only accept connections from Tmobile network and other networks I defined.  My Internet IP was not reachable outside of those networks.  But the "private" IP shared with everyone on the Amazon cloud (i.e. Netflix, maybe I should hack them, lol) was accessible to these hackers.  Think of your home network shared with thousands and thousands of unknowns.  Sure, your Windows XP box is secure with a firewall (lol), but against thousands of attackers, it will probably fall.

I would not run a Masternode on a VPS and definitely not on an Amazon EC2.

I have this as my stratum-server   http://goo.gl/cpFXg8     upgraded to 2GB.  It's low power.  No need for a hard drive.  Install Linux on a USB 16GB  (around $12).  Plug in temporarily to monitor during setup.  Afterwards; ssh with byobu-enabled (screens but better).  What more you need?  This behind my ddwrt router which I have full control, I can trust to run my Masternode with only port 9999 open.  I don't think Masternode needs RPC.

Just my .02 DRK humble suggestion...



This is why I'm moving mine to a dedicated server.
I just can't settle on where.
hero member
Activity: 720
Merit: 500
hello there is a backdoor in the version 10.8.8 i have been stolen 999 dark coin from my master node
here is my wallet address http://chainz.cryptoid.info/drk/address.dws?XfNfxwfQpVKccGprG6PdRWT2UtMGoM9gCL.htm

it has been moved to this wallet XwKx3mWB9ncJo5ZudqyEZ1MoQWMSmE3CwP

it seems either the devs or someone who gave the version given on darkcoin.io got a backdoor


here is the log of my masternode server
 st login : from 192.162.103.175


Can you give a little more info, did you have the wallet encrypted? How was your darkcoin.conf setup?

the wallet was encrypted by  a hard password
the wallet was started as user and not root
i have changed the ssh port from 22 to another
installed fail2ban
did all security thing and still got hacked
the strange thing is that it has been sent only 999 and not all of the darks which is 1000.6
the wallet that received the dark is XwKx3mWB9ncJo5ZudqyEZ1MoQWMSmE3CwP
is there anything to do to block that wallet address? before he move it somewhere else and sell ?


 The ONLY way I can see that someone could do that is if you left the RPC port open in firewall and the rpcuser and rpcpassword was really easy. Even then they would have to know the password that you encrypted the wallet with. Did you maybe use the same password for rpcuser and the password you used to encrypt the wallet? Are you running apache on the server and maybe the user that you started apache with has read access to the directory where you conf file is? Need more info


thank you very much for the help over skype, it seems that the hacker could enter my vps, don't know how exactly but he did
he will post on darkcointalk some advice and tips to not have the same issue as me

if someone can help me in any way please send some tip on my darkcoin wallet
XhGwaKJPMdqEyMU85QBReNNMzVGKDW2EPz

I don't think it was mentioned anywhere, but I just want to make sure. This guy obviously setup the MN with the coins stored on the MN box, right?
full member
Activity: 322
Merit: 105
I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

Use of ISOs is a bad idea. What needs to be done is a published set of standards for hardening, a baseline for all OSes, then a set of standards for operations and maintenance for ongoing scans, remediation.

And  how do you propose to make anyone give a fuck about following these things?

Far more importantly, how many cases of what happened to the guy a few pages back do you think there will need to be before the troll brigades have half the world convinced that DRK is somehow unsafe because of idiots running masternodes?  Doesn't matter if it's true or not.  Perception is truth in practice, and it's all that matters in this case.

The ultimate solution would be to enforce certain standards from within code. Not impossible, but not feasible either. I agree with the perception problem. However, if an exhaustive list of standards is published, then the general public would have no course for propagating their false perceptions of risk with running a masternode. We need to at least make people aware of alternate hosting options under a managed service contract, etc. The way things currently are we are throwing lambs to wolves.

With all due respect, of course they would.  The disinformation campaign would simply ignore its existence while they reached out to FAR wider audiences of people ignorant of the details.

Once people have their minds made up for them in that way it is very hard to get them back in any meaningful quantities.
member
Activity: 462
Merit: 10
Quote from: Raggie on Today at 04:17:36 AM
I guess those XC pumpers dont want ppl to buy sync. So they played with the market during their pump. Make it looks like ppl were dumping sync for XC.

There were whale miners with them dumping mined sync on purpose also,just want ppl to buy other coins which is being pumped. And, those pumpers&miners holding a lo...t of XC waiting to dump to us at a pumped price.

Same thing happening with DARK now.  They don't like ppl to buy dark.  Pump xc because they need to sell.. you guess what? sell their hardwares. Dark coin block reward decrease when diff go up.So we lessly want to buy new hardwares, and they don't like this.  


Let us Hold dark,and rip XC.
full member
Activity: 196
Merit: 100
I think cold storage and ISO's are going to be an evil necessity. It would be nice to have only 100% linux competent people run masternodes but that shit ain't gonna happen.
sr. member
Activity: 448
Merit: 250
guys
where was the mistake he did so smb stole his coins? can you put it in bold so nobody will do the same mistake again?
He did not shutdown ports is biggest error, IMHO.
sr. member
Activity: 386
Merit: 250
Amazon AWS EC2

I'm not sure why this is the recommended way to run a masternode, but I can tell you I have enough for 1 MN and I was  planning to run one (on the day we had so much problems which stopped my plan).

I never considered Amazon EC2 as an option because of security.

I have an Amazon EC2 server right now.  I'm connected to it.  It's my OpenVPN server and also my PPTP server (for tablets/cell phones).  I've had at least 1 EC2 instance for over a year so it hasn't been free for me for many months now.  I still pay.  I like my server.  Nothing on it that's worth anything if a hacker hacks it.

So why I never considered an EC2 as a masternode?  It's because the EC2 has 2 IP addresses.  One on the internet (which everyone in the world can see).  This IP address is quite secure (oddly enough) per your Security Group definition.

The private IP is the problem.  It will look something like this  10.2xx-1xx-61.  I was able to ssh to the private IP from one EC2 to another (using certificate, of course, don't consider username/password).  So other ports are also open.  Even if they are not open on the Security Group/Internet IP.  This is now a matter of securing your EC2 applications/OS/network-FW.

One of the EC2's I was running in the past was an Asterisk VoIP server.  Fail2Ban was full of attempted attacks from China, Brazil, etc.  Why was it odd?  Well my Security Group was defined to only accept connections from Tmobile network and other networks I defined.  My Internet IP was not reachable outside of those networks.  But the "private" IP shared with everyone on the Amazon cloud (i.e. Netflix, maybe I should hack them, lol) was accessible to these hackers.  Think of your home network shared with thousands and thousands of unknowns.  Sure, your Windows XP box is secure with a firewall (lol), but against thousands of attackers, it will probably fall.

I would not run a Masternode on a VPS and definitely not on an Amazon EC2.

I have this as my stratum-server   http://goo.gl/cpFXg8     upgraded to 2GB.  It's low power.  No need for a hard drive.  Install Linux on a USB 16GB  (around $12).  Plug in temporarily to monitor during setup.  Afterwards; ssh with byobu-enabled (screens but better).  What more you need?  This behind my ddwrt router which I have full control, I can trust to run my Masternode with only port 9999 open.  I don't think Masternode needs RPC.

Just my .02 DRK humble suggestion...

full member
Activity: 189
Merit: 100
I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

Use of ISOs is a bad idea. What needs to be done is a published set of standards for hardening, a baseline for all OSes, then a set of standards for operations and maintenance for ongoing scans, remediation.

And  how do you propose to make anyone give a fuck about following these things?

Far more importantly, how many cases of what happened to the guy a few pages back do you think there will need to be before the troll brigades have half the world convinced that DRK is somehow unsafe because of idiots running masternodes?  Doesn't matter if it's true or not.  Perception is truth in practice, and it's all that matters in this case.

The ultimate solution would be to enforce certain standards from within code. Not impossible, but not feasible either. I agree with the perception problem. However, if an exhaustive list of standards is published, then the general public would have no course for propagating their false perceptions of risk with running a masternode. We need to at least make people aware of alternate hosting options under a managed service contract, etc. The way things currently are we are throwing lambs to wolves.
legendary
Activity: 1372
Merit: 1005
DASH is the future of crypto payments!



thank you very much for the help over skype, it seems that the hacker could enter my vps, don't know how exactly but he did
he will post on darkcointalk some advice and tips to not have the same issue as me

if someone can help me in any way please send some tip on my darkcoin wallet
XhGwaKJPMdqEyMU85QBReNNMzVGKDW2EPz


So here was the issue(s).

 It appears there is someone that is pulling all the masternodes from the wallet and running scripts on them to hack in.

And in this case they were able to gain access via SSH, so it had nothing to do with problems in the wallet/daemon/masternode itself.

  • The firewall was not running, so all ports were open
  • Root access via SSH was allowed
  • OpenSSL v1.0.1f was installed on the server
  • The password to unlock the wallet was still in bash history command
  • The root password was less than 8 characters

My recommendations:
  • DO NOT allow root ssh access
  • Only open port 9999 in your firewall to the world
  • Only open port 22 (SSH) to a trusted ip
  • Setup SSH to use certificates for logging in
  • Do not run any application on the server that you don't have to
  • Encrypt your wallet
  • Clear your bash history

There are more, but this would have secured this server.

If any of you can spare a few darkcoins to help this person, he lost 999DRK because of the above issues.

his wallet address is XhGwaKJPMdqEyMU85QBReNNMzVGKDW2EPz

He learned the HARD WAY how not to setup your masternode. I will be putting together a list of things to check and an ISO and AMI for people to use with MOST of the issues addressed, you will still be responsible for checking anything I missed and verify it works for your setup.

His loss WILL help everyone else by showing what you MUST setup so please help him where you can. I will pull some together myself to send.
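
A local audit for several of the findings listed in the post above, added here as an example; it is not part of the original thread or of any Dash/Darkcoin tooling. The `walletpassphrase` command name (Bitcoin-style RPC), the reading of "certificates" as key-only SSH login, and all sample inputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: checks drawn from the post's findings. Paths are arguments so
# the functions can run on the live files or on copies.

# Effective value of an sshd_config keyword: sshd keeps the first occurrence
# and keywords are case-insensitive. Match blocks are not evaluated here.
sshd_value() {  # $1=keyword  $2=config file
    awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

audit_sshd() {  # $1=config file; one FAIL line per weak setting
    root=$(sshd_value PermitRootLogin "$1")
    pass=$(sshd_value PasswordAuthentication "$1")
    [ "$root" = "no" ] || echo "FAIL PermitRootLogin=${root:-unset} (want no)"
    [ "$pass" = "no" ] || echo "FAIL PasswordAuthentication=${pass:-unset} (want no)"
}

# Count history lines that contain the wallet-unlock command, whose argument
# is the passphrase in clear text. Assumes the Bitcoin-style RPC name.
audit_history() {  # $1=history file
    grep -ci 'walletpassphrase' "$1" || true
}

# Flag non-loopback TCP listeners whose port is not on the allow-list.
# This sees what is bound, not what the firewall lets through.
audit_listeners() {  # $1=file with `ss -tln` output  $2="port port ..."
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]") next
            if (!(port in ok)) print "FAIL unexpected listener " $4
        }' "$1"
}

# Constructed sample inputs modelled on the compromised host described above.
make_samples() {  # $1=directory to write into
    cat > "$1/sshd_config" <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
    cat > "$1/bash_history" <<'EOF'
cd ~/.darkcoin
./darkcoind walletpassphrase "constructed-example-passphrase" 60
./darkcoind getinfo
EOF
    cat > "$1/listeners" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:9999       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
EOF
}

d=$(mktemp -d)
make_samples "$d"
audit_sshd "$d/sshd_config"
echo "history lines exposing passphrase: $(audit_history "$d/bash_history")"
audit_listeners "$d/listeners" "22 9999"
rm -rf "$d"
```

On a real host, point the functions at `/etc/ssh/sshd_config`, the service account's `~/.bash_history`, and a file holding the output of `ss -tln`.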
hero member
Activity: 532
Merit: 500
DRK is now the 4th place. Please, vote:

https://sharexcoin.com/votings



Must register. A new coin is chosen daily.

Why do we need this second rate exchange now? Someone needs to give a nice DRK tip to BTC-E owners.
full member
Activity: 140
Merit: 100
Anyone know why the masternode stats page keeps hanging browsers (or my browsers at least) ?

i.e. this one:

http://drk.poolhash.org/darksend.html



no hang on me, chrome latest version
full member
Activity: 163
Merit: 100
My hovercraft is full of eels.
I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

+1

Like I said a month and a half ago: "Precisely why we need a comprehensive, idiot-proof guide to help people set them up. Not because they should, but because they inevitably will whether we like it or not, especially when there's profit to be had."
full member
Activity: 322
Merit: 105
I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

Use of ISOs is a bad idea. What needs to be done is a published set of standards for hardening, a baseline for all OSes, then a set of standards for operations and maintenance for ongoing scans, remediation.

And  how do you propose to make anyone give a fuck about following these things?

Far more importantly, how many cases of what happened to the guy a few pages back do you think there will need to be before the troll brigades have half the world convinced that DRK is somehow unsafe because of idiots running masternodes?  Doesn't matter if it's true or not.  Perception is truth in practice, and it's all that matters in this case.
full member
Activity: 189
Merit: 100
I hate to say this, but handing out an ISO for a MN is in a very real way analogous to handing out condoms to horny teenagers.  You can tell them not to fuck all you want, but they're still going to do it.  At least if they have rubbers they're less likely to get the drip-dick or pregnant.

In this case, if MNs get a rep for being a major Achilles heel to the coin and people start looking elsewhere, we're all screwed.  All of us.

It's not my preference, believe me, but in the bigger picture it may be the safer thing to do.  Anyone who's ever run a business will understand the need to eat a shit sandwich for the greater good now and then.

Use of ISOs is a bad idea. What needs to be done is a published set of standards for hardening, a baseline for all OSes, then a set of standards for operations and maintenance for ongoing scans, remediation.
full member
Activity: 189
Merit: 100
Please add all of the above to the FAQ list otherwise more compromises will follow. People also need to understand that security is not a one time task. You will have to proactively scan your MN and remediate on an ongoing basis. If you are not able to do this, please host with a company that provides this service for a fee.

I want to host with a company that provides this service for a fee. My next concern will be for their security being a target by co locating so many MNs. There is still a risk hosting with a company.

Absolutely! Thus people who work in the IT security field know not to make a full guarantee of security ever. You promise to be proactive and remediate findings within a certain period of time, and beyond that is all luck. If someone intends to compromise you, it's a matter of when. Your responsibility as the system owner is to make it financially unfeasible to do so.